{
  "name": "Uptick in Bomgar RMM Exploitation",
  "slug": "uptick-in-bomgar-rmm-exploitation",
  "description": "Since early April 2026, security researchers have observed a significant increase in attacks targeting Bomgar remote monitoring and management (RMM) instances that exploit CVE-2026-1731, a critical vulnerability disclosed in February. Threat actors have compromised Bomgar RMM deployments to reach the downstream customers of MSPs and other service providers, affecting over 78 businesses in one incident alone. Attackers deploy LockBit ransomware, create privileged administrator accounts for persistence, install additional remote access tools such as AnyDesk and ScreenConnect, and conduct domain reconnaissance. Some incidents also involved attempts to disable security tools using BYOVD techniques. The attacks primarily target organizations running outdated Bomgar versions vulnerable to remote code execution; because the compromised instances belonged to dental software companies and MSPs, the impact spread widely across those providers' customer bases.",
  "published": "2026-04-17T21:18:57+00:00",
  "created_at": "2026-04-17T21:18:57+00:00",
  "modified_at": "2026-04-20T08:52:16+00:00",
  "created_at_opencti": "2026-04-17T21:18:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-17",
    "CVE-2026-1731",
    "anydesk",
    "atera",
    "bomgar",
    "byovd",
    "lockbit",
    "msp targeting",
    "poisonkiller",
    "ransomware",
    "remote access tools",
    "rmm exploitation",
    "screenconnect",
    "simplehelp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "b44dd12179a15a7d89c18444d36e8d70b51d30c7989d3ab71330061401f731fe"
      },
      {
        "id": "",
        "name": "3529b1422da886b7d04555340dfb1efd44a625c2921af6df39819397176956d6"
      },
      {
        "id": "",
        "name": "538b3b36dd8a30e721cc8dc579098e984cf8ed30b71d55303db45c7344f7a4cf"
      },
      {
        "id": "",
        "name": "a5035cbd6c31616288aa66d98e5a25441ee38651fb5f330676319f921bb816a4"
      },
      {
        "id": "",
        "name": "bc9635dcc3444c18b447883c6bc1931e5373e48c7dbfaa607285a9fb668b03ea"
      }
    ],
    "malware": [
      {
        "id": "6fd78f75-0163-4777-a392-6c23ea15731d",
        "name": "LockBit",
        "slug": "lockbit"
      },
      {
        "id": "bb4a30a9-acb8-4bf0-b4c2-c022f41dd9a9",
        "name": "Atera",
        "slug": "atera"
      },
      {
        "id": "legacy:malware:3090189ff8d7a971",
        "name": "SimpleHelp",
        "slug": "simplehelp"
      },
      {
        "id": "legacy:malware:10e289c54aab847f",
        "name": "PoisonKiller",
        "slug": "poisonkiller"
      },
      {
        "id": "7193649e-f5a2-4601-8529-3e35ea193839",
        "name": "AnyDesk",
        "slug": "anydesk"
      },
      {
        "id": "legacy:malware:1e181522bb980dc7",
        "name": "ScreenConnect",
        "slug": "screenconnect"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "566a4023-1f45-4988-a451-e1564d7dfef4",
        "name": "T1136.002"
      },
      {
        "id": "4f0fd880-1731-42a7-88ed-97bb3c1c1571",
        "name": "T1136.001"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "a1c59366-9e3a-46a3-aa83-863bebc8b3e1",
        "name": "T1484"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "7f478f8c-06a4-4ce6-ac08-2947bca8463c",
        "name": "T1069.001"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7",
        "name": "T1069.002"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2026-1731"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/uptick-bomgar-exploitation",
    "https://otx.alienvault.com/pulse/69e2bfe152d44136b3c83ec3"
  ]
}